[WBEL-users] /etc/shadow and Samba

Shawn M. Jones smj@littleprojects.org
Wed, 23 Jun 2004 11:29:01 -0400 (EDT)


On Wed, 23 Jun 2004, Mario Gamito wrote:
> I'm running Samba (3.0.4 compiled by me) in WBL.
> I have this script in smb.conf that allows Windows users to change their
> domain password from their Windows machines.
> 
> Well, the problem is that /etc/shadow has permissions -r-------- and
> obviously this way there's no password change for anyone.
> I tried giving 777 permission to /etc/shadow and it worked, but
> obviously that's not what I want :P
> 
> Is there a way to turn this around without messing with /etc/shadow
> permissions?

You could make your script owned by root and suid, allowing it to change
permissions of /etc/shadow while it's running and updating /etc/shadow
with new data.  I'd suggest having it change it back to 0400 when it's 
done.  

Some security experts think suid is a bad way of doing things, 
primarily because the script is running AS ROOT, and anything that can 
make it crash can give the person running it root privs, but it might be 
the best option you have.

The Unix passwd command has suid permissions, and that's how it
accomplishes said goal:

-r-s--x--x    1 root     root        16248 Dec 12  2003 /usr/bin/passwd

Hope this helps,

Shawn M. Jones
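
An audit sketch for the two permission states discussed in this thread, a shadow file left too permissive and files carrying the setuid bit, added here as an example and not written by either poster. The function names are hypothetical, and the set of acceptable shadow modes (0000, 0400, 0600, 0640) is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only: nothing is modified.
# Function names and the accepted-mode policy are assumptions of this example.

# Print the 10-character type+permission field that `ls -l` shows,
# e.g. "-r--------" for a 0400 regular file.
mode_of() {
    ls -ld -- "$1" 2>/dev/null | cut -c1-10
}

# Succeed if a mode string is acceptable for a shadow file: owner read/write
# at most, group read at most, nothing for "other", no execute or special bits.
# Accepts 0000, 0400, 0600, 0640; rejects 0644, 0666, 0777.
shadow_mode_ok() {
    case "$1" in
        -[r-][w-]-[r-]-----) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if the owner-execute position holds s or S (setuid bit set),
# as in the passwd listing quoted in the message: -r-s--x--x
mode_is_setuid() {
    case "$1" in
        ???[sS]??????) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit one shadow file. Prints a verdict line.
# Returns 0 = ok, 1 = too permissive, 2 = missing or unreadable.
audit_shadow() {
    m=$(mode_of "$1")
    if [ -z "$m" ]; then echo "MISSING $1"; return 2; fi
    if shadow_mode_ok "$m"; then echo "OK $m $1"; return 0; fi
    echo "TOO-PERMISSIVE $m $1"; return 1
}

# List setuid regular files under a directory (same filesystem only),
# with mode and owner, so unexpected root-owned entries stand out.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -exec ls -ld -- {} + 2>/dev/null
}
```

Typical use is `audit_shadow /etc/shadow` followed by `list_setuid /usr/bin`, comparing the second listing against a known baseline.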